You can no longer afford to be reactive with security. Instead of waiting to notice an attack, assume that you are vulnerable and have already been attacked. †Assume there is an infringement” is a security principle that says to act as if all your resources — applications, networks, identities, and services, both internal and external — are insecure and already compromised, and you just don’t know it.
One way to find out is by using “deception technologies”: lure resources into strategic parts of your network with extra monitoring that you can fool attackers into chasing them – keeping them out of your real systems and showing them while they sniff around.
Setting a trap to expose cyberattacks
“Adversaries often start ‘in the dark’ after a successful compromise, unsure of exactly which systems they have access to, what they do and how they are connected to different parts of an organization. During this reconnaissance phase, an adversary is most likely to contact other services and systems,” Ross Bevington, principal security researcher at the Microsoft Threat Intelligence Center, told TechRepublic.
That’s true deception technology like honeypots (infrastructure that looks like a real server or database but doesn’t run a live workload), honeytokens (enticing objects in real workloads you’re already using), and others come in. “By imagining themselves as systems or services, an attacker can be interested in, but not actually used in, business processes, constructing hi-fi detection logic that alerts the security team to post compromised activities,” Bevington said.
Deception technology works best when it’s difficult to tell the difference between a real system and something fake from a distance, he explained: That way the attacker wastes time on the decoy.
In addition, you now know that the attacker is there. Since there is no legitimate reason to access those resources, anyone who tries it is clearly unfamiliar with your system. It could be a new employee who needs training (also good to know), but it could also be an attacker.
You can use deception as intrusion detection, like a tripwire, or you can intentionally expose it (which is what Microsoft itself does) “…as a way to gather threat intelligence about what adversaries might be doing before the compromise,” he said.
“In any case, the goal of deception technology is to significantly increase the cost to the attacker and lower that to the defender,” Bevington said.
Some deception techniques require more work. “Many customers are taking steps to adapt their lures, decoys and traps to the way they work,” Bevington told us.
But running additional infrastructure takes time and comes at a cost. You also need to make it look like a legitimate workload without copying sensitive information, otherwise the attacker will know it’s fake. And the security team running a honeypot don’t always know what real workloads look like the way administrators and operations teams do, but until now, software engineering teams didn’t have many tools to set these kinds of traps (even as if the “shift left”- philosophy of devops means they are more involved in security).
SEE: Mobile Device Security Policy (Tech Republic Premium)
Enter honeytokens: fake tokens that you plant in your existing workloads with legitimate-looking names that match your real resources. They’re inexpensive and easy to deploy, can handle as many workloads as you’re running, and they’re low-maintenance. Once set up, they can generally be left for months or years with no extra effort to maintain them, Bevington says. “Tokens are now more commonly used as a cheap, powerful way to capture a full array of opponents.”
The downside is that you don’t get a deep understanding of who an opponent is or what they’re trying to do if they stumble upon a honeytoken; a honeypot gives a security team more information about the attacker.
Which one you need depends on your threat model, emphasizes Bevington. “Honeypots have the potential to give defenders significant amounts of threat intelligence about who the attacker is and what they want to achieve, but at a higher cost because honeypots require CPU and memory and are either installed on a machine or virtual machine and require constant attention for maintenance.” Many organizations don’t need that extra information and may feel that tokens are enough.
SEE: Password Breach: Why Pop Culture and Passwords Don’t Mix (Free PDF) (TechRepublic)
Honey Tokens Made Easy
Microsoft has been using deception techniques for some time now, as so many attackers try to access Microsoft services and customer accounts (this is part of what Microsoft calls its “sensor network”). “We’ve seen great value in embedding technology like tokens and honeypots into our internal security posture,” Bevington said. That deception data has helped Microsoft analysts find new threats to Windows, Linux and IoT devices. Uncovering an open Docker API server found attackers who: uses the Weave Scope monitoring framework to compromise containersand other deception technologies revealed what IoT looks like Cinema and trick bot Attacking IoT devices.
Once it discovers the ways in which attackers compromise infrastructure, Microsoft can add protections to its Defender services for those specific attacks. It’s been too making misleading data available to researchers look for ways to automate the processing of that data for discovery.
But with the new Microsoft Sentinel Deception (Honey Tokens) Solution Placing decoy keys and secrets in Azure Key Vault does not require you to be a security expert to perform deception technologies. “One of the goals of Sentinel and our recently released Azure Key Vault token preview is to reduce the complexity of deploying these solutions so that any organization interested in this technology can deploy them easily and securely,” said Bevington.
It contains analytics rules to monitor honeytoken activity (including an attacker attempting to disable that monitoring) and workbooks for deploying honeytokens (as well as recommendations in Azure Security Center) and investigating honeytoken incidents. Honey tokens are named based on your existing keys and secrets, and you can use the same keyword prefixes you use for your real tokens.
It may seem counterintuitive to effectively invite attackers to a service as important as Azure Key Vault, but you’ll really only find out if you’ve properly secured the service with options like managed identity. With honeytokens masquerading as secrets and access credentials, “the keys are such an important reward to an adversary that they can spend significant resources accessing this data,” Bevington noted. It’s important to put in place basic security hygiene processes and practices, such as MFA and passwordless authentication, and make sure you closely monitor alerts for your honeytokens or other deception technologies.
Think of this as a new layer in your defense. In addition to tricking real attackers into going after fake resources, you can also see what a real attack would look like, for example by simulating denial-of-service attacks on resources you protect with Azure services using services like Red Button or BreakingPoint Cloud† Try exploring your own systems with Red Team tools like storm spotter that show you which resources in your Azure subscriptions are visible, so you know what an attacker would see if they started looking around.
Using what you learn about how attackers behave through deception techniques to protect your real assets can help you stay one step ahead.
